Why Aren t HTTP-only Cookies More Widely Deployed?
|
|
- Paula Parker
- 6 years ago
- Views:
Transcription
1 Why Aren t HTTP-only Cookies More Widely Deployed? Yuchen Zhou University of Virginia yz8ra@virginia.edu David Evans University of Virginia evans@virginia.edu Abstract HTTP-only cookies were introduced eight years ago as a simple way to prevent cookie-stealing through cross-site scripting attacks. Adopting HTTP-only cookies seems to be an easy task with no significant costs or drawbacks, but many major websites still do not use HTTP-only cookies. This paper reports on a survey of HTTP-only cookie use in popular websites, and considers reasons why HTTP-only cookies are not yet more widely deployed. Index Terms HTTP-only, cookies, web application security, adoption of security technologies I. INTRODUCTION HTTP cookies are used as authentication tokens by nearly all websites that require user credentials. Cookies provide a way for websites to manage persistent state within the stateless HTTP protocol since browsers send cookies back to the server as part of the HTTP request header. An attacker who acquires a copy of an authentication cookie may be able to use it to impersonate the user and conduct a session on their behalf. The most common way to steal a cookie is through a cross-site scripting (XSS) attack. Since the injected script runs in the security context of the host site, it can access the cookie through the DOM (by reading document.cookie) and can transmit its value to a server controlled by the attacker (for example, by embedding the cookie value in the URL of an image). XSS attacks remain one of the largest security problems on the web [7] and major sites continue to be vulnerable to them. A recent serious attack against apache.org used a XSS attack to steal authentication cookies [2]. XSS attacks also emerged at the iphone version of Facebook in January 2010 [12]). The idea of HTTP-only cookies is to denote cookies that are not visible through the DOM. HTTP-only cookies were introduced by Microsoft in 2002 and first implemented in Internet Explorer 6 [13]. To mark a cookie as HTTP-only, the HTTP-only attribute [15] is added to the cookie field. A browser that supports HTTP-only cookies sends the cookies back in HTTP request headers, but will not permit a script to access an HTTP-only cookie. However, as we discuss in Section 3, HTTP-only cookies do not prevent all XSS exploits and using them is not a substitute for eliminating XSS vulnerabilities, but judicious use of HTTP-only cookies does make certain exploits impossible. Despite their apparent simplicity, HTTP-only cookies require both clients and sites to change like many proposed web security enhancements. This makes adoption a difficult challenge, and it has taken many years for HTTP-only to reach critical mass. Some key events of the deployment of HTTPonly are shown in Figure 1. It took more than five years for Firefox to add HTTP-only support, and some popular web frameworks still do not support it today (see Section III). In this paper, we evaluate the effectiveness of HTTP-only cookies (Section II) and report on a survey of the use of HTTPonly cookies by popular sites and web application frameworks (Section III). We discuss the possible reasons why HTTPcookies are still not universally adopted more than eight years since they were introduced (Section IV). We are not able to reach a definitive answer why HTTP-only cookies are not more widely deployed, but we hope the experience with HTTP-only cookies can provide insight into what make proposed security technologies succeed or fail, and how to overcome some of the hurdles to widespread adoption. II. EFFECTIVENESS OF HTTP-ONLY COOKIES HTTP-only cookies are a defense-in-depth strategy. They do not eliminate XSS vulnerabilities, but make it more difficult to exploit them by preventing cookie-stealing. Here, we consider how valuable this mitigation is in practice, and how well the HTTP-only defense satisfies its goals. A. Other ways to exploit cross-site scripting There are many ways to exploit cross-site scripting attacks other than stealing cookies. An attacker may be able to inject a script to capture and transmit the user s keystrokes, or use an injected script to issue requests directly using the user s credentials. These attacks do not necessarily need to steal cookies, but instead just take advantage of the fact that authenticated users have cookies stored in their browser that are automatically appended to HTTP request headers. Nevertheless, cookie stealing enables certain exploits that benefit from persistent access to the user s credentials. In addition, cookies may contain private information that could not be exposed otherwise. Various defenses such as tying cookies to IP addresses, setting the expiration time for a cookie, and encrypting private content in cookies may mitigate some of these threats. However, studies indicate that as many as 3% of users change their IP address during a session [8], which makes IP address checking inappropriate.
2 Fig. 1. HTTP-Only Deployment Timeline B. Other Ways to Steal Cookies HTTP-only cookies only prevent cookies from being accessed through the DOM in scripting-related attacks, but provide no defense against other ways of stealing cookies. Another way to steal cookies is to eavesdrop on network traffic. Eavesdropping is mitigated by cryptographic measures, most notably TLS/SSL. Cookies that have a secure attribute should only be sent over HTTPS [9]. This policy is enforced by all current major browsers. An attacker who has more access to a victim s machine may also be able to steal cookies by accessing local files. As long as the browser stores cookies in a sensible way, however, an attacker who is able to do this probably has enough access to the victim s machine to also install a keylogger and acquire the login credentials directly. C. Vulnerabilities with HTTP-only Cookies Even if HTTP-only cookies are used and an attacker needs to use an injected script to exfiltrate the cookies, other techniques such as cross-site tracing and using XMLHttpRequests may enable an attacker to steal HTTP-only cookies. Cross-site tracing. The HTTP TRACE request is a method designed for debugging problems such as network connection errors between servers. When a client sends a TRACE request to a compliant server, the server responds by echoing back the header sent by the client. An attacker can exploit this to circumvent HTTP-only cookies by injecting code that sends an asynchronous XMLHttpRequest with the TRACE method and receiving the HTTP-only cookie in the message echoed-back by the server [6]. This vulnerability was reported in a US- CERT vulnerability note [11], recommending that web servers reject TRACE requests. The latest version of Apache (Version 2.2) still enables the TRACE method by default. However, recent browsers, including Firefox 3.6 and IE 8, no longer allow XMLHttpRequests that use the TRACE method. Section III reports results from our survey showing that many servers still respond to TRACE requests. XMLHttpRequest related attacks. Another way to circumvent HTTP-only restrictions is to exploit the fact that HTTP-only cookies may still be included in responses to non- TRACE XMLHttpRequests. Some web applications set an authentication cookie on every response even if the previous request already included a cookie. For such sites, simply sending a XMLHttpRequest to the site and collecting the response (which contains an authentication cookie) works just as well as cross-site tracing attacks [19]. Browsers can thwart this attack by blocking set-cookie headers in the responses. This could also be mitigated at the server side by not resending authentication cookies to requests that already include cookies. All major recent browsers (including IE 8 1, Firefox 3.6, Opera 10.10, Google Chrome 4.1 and Safari 4.0.5) strip cookies from responses to XMLHttpRequests, so are not vulnerable to this attack. Users with older browsers, however, may still be vulnerable to these attacks if servers return authentication cookies in response to incoming HTTP requests that already contain authentication cookies. III. SURVEY OF HTTP-ONLY COOKIE USE We conducted a survey of popular web sites to determine how widely HTTP-only cookies are deployed and whether or not sites using HTTP-only cookies are vulnerable to the attacks described in the previous section. Sample. Our survey sample is based on the global top 100 sites according to Alexa.com [1]. We excluded 29 sites that do not use authentication cookies (e.g., 6 adult sites, and 15 sites that substantially duplicate previous sites (e.g., was excluded in favor of com). This left the set of 50 sites shown in Table I. Methodology. To conduct the survey, we wrote a simple Firefox extension that searches for the HTTP-only string in setcookie header fields. We used an automated script to load each test URL and determine if the site issues HTTP-only cookies. We wrote an extension instead of using network packet sniffer such as Wireshark because many of the sites use SSL, which 1 Unlike other browsers, IE 8 prevents accesses to HTTP-only cookies, but not to non-http-only cookies. Firefox and all other browsers prevent accesses to all cookies, regardless of HTTP-only field.
3 would prevent us for observing the plaintext headers. By using a Firefox extension, we can see the decrypted headers. We could automate testing for HTTP-only cookies before login, but to see if sites used HTTP-only for authentication cookies we needed to perform sessions as authenticated users. We did not find a satisfactory way to automate this, so we manually registered for all sites, logged in, and tested if they are using HTTP-only cookies. 2 Results. The results of our survey are summarized in Table I. Among the 50 major sites that we tested, 8 of them use HTTP-only cookies before the user logs in, and 16 more sites issue HTTP-only cookies after the user logs in. A slight majority (26) of the sites do not use HTTP-only cookies at all. This includes many very popular and commercial sites such as amazon.com, twitter.com, and mail.yahoo.com. It is also surprising that some sites (e.g., ebay.com, yahoo.com) do use HTTP-only cookies, but not for authentication cookies. Nearly eight years after its introduction, this simple security option is still not deployed by the majority of websites. We speculate on reasons for this in Section IV. Vulnerabilities. As we discussed earlier, there are potential vulnerabilities in HTTP-only cookies which we examine here. As mentioned previously, both threats are mitigated by most modern browsers but users using older browsers may still be vulnerable. First, we checked if these sites correctly reject TRACE requests. Our expected return value should be 403 Forbidden or 405 Method not Allowed. As we can see from Table I, 7 out of the 50 sites respond with either 200 OK or 302 Found to TRACE requests. These sites would be vulnerable to cross-site tracing attacks for users whose browsers do not block these requests. We also checked all the sample sites to see if these sites return a set-cookie header in the response to an XMLHttpRequest, and what is the browser behavior to this. None of the 24 sites that use HTTP-only authentication cookies returned cookies in responses to requests that already contained authentication cookies, so they were not vulnerable to this problem. Of the other 26 sites, there are five sites that return authentication tokens in response to these requests. Since these sites are not currently using HTTP-only, they are already vulnerable to cookie-stealing XSS attacks. However, even if they mark their cookies at HTTP-only these sites would still be vulnerable to the XMLHttpRequest attack. Web Frameworks. Given the need to manually create and account and login to a site to test if its authentication cookies use HTTP-only, it was not feasible to perform a large scale survey of less popular websites. Instead, we observe that many websites today are built using web frameworks, and it is likely that most sites built with frameworks will use their default cookie and authentication options. The adoption path for web frameworks also illustrates some of the challenges in getting new security technologies widely adopted. 2 We attempted to use bugmenot [5] to automate logins, but found that most sites blocked accounts known to be from bugmenot. On by Default Supported but off by default Not Supported vbulletin 4.0, 22 Feb 2010 Ruby on Rails (Mar 2009) Symfony 1.4 (Feb 2010) Ruby on Rails (Nov 2008) Django (July 2009) Spring Framework 3.0 (Feb 2010) Pylons (2008) Ruby on Rails (Oct 2008) TABLE II WEB FRAMEWORK HTTP-ONLY SUPPORT AND DEPLOYMENT Table II summarizes support for HTTP-only cookies in several popular web frameworks. The results are collected by either using documentation or replies from the web framework s development team, or by directly examining the cookie implementation source code in cases where a definitive answer was not found. The latest version of Ruby on Rails is the only open source framework we found that set HTTP-only flag on by default. The previous version of Rails and the current version of Symfony) both support HTTP-only but it needs to be manually configured by users Another framework that appears to set HTTP-only on by default is vbulletin, a close-source commercial product that is used by many Internet forums. 3 The other frameworks we examined do not support HTTP-only. Pylons does not provide support for authenticating users but instead relies on third party authentication addons like Authkit and Repoze.who (neither of which support HTTP-only). Django includes support for authentication which does not support HTTP-only, but there is an unofficial patch available for it which we discuss further in Section IV. IV. DISCUSSION Despite their apparent security benefits, simplicity, and lack of obvious drawbacks, our survey shows that HTTP-only cookies are, after eight years, still only deployed on about half of major websites and not used by default on most web frameworks. We sent requests to all the sites that were not using HTTP-only cookies, but have not received any illuminating replies. Here, we consider several possible reasons why HTTP-only cookies may not be used. Protection effectiveness. As discussed in Section II, HTTP-only cookies are a defense-in-depth mechanism intended to thwart a particular way of exploiting a XSS vulnerability. However, XSS attacks are not targeted merely for cookie stealing. It is also possible that a site considers the other ways of exploiting a XSS vulnerability to be just as severe as the cookie-stealing prevented by HTTP-only cookies. This scenario makes it plausible for developers to focus more on XSS defenses than merely HTTP-only cookie mechanism adoption. In addition to this, sites may elect not to employ HTTPonly cookies because they believe their site is not vulnerable to XSS exploits. However, we find this reason hard to support 3 Our results for vbulletin are based on testing a sample of websites built using it. Sites built with vbulletin 4.0 consistently use HTTP-only cookies
4 Type No. Sites 4shared.com 1, adobe.com 2a, amazon.com 2, baidu.com, cnet.com 2a, cnn.com 2, craigslist.org, dailymotion. com, digg.com 2, ebay.com 2, espn.go.com 2, flickr.com 2a, hotfile.com, imageshack.us 2, imdb.com 1, No HTTP-Only Authentication Cookies 26 kaixin001.com 1a, linkedin.com 2, livejournal.com, mail.yahoo.com, mail.qq.com, mediafire.com 2, megaupload.com a, megavideo.com a, msn.com 2, nytimes.com 1, orkut.com, renren.com 2, soso.com, thepriatebay.org 2, tudou.com, twitter.com 1, yahoo.com 2, youku.com 2 aol.com 2, blogger.com, conduit.com 2, doubleclick.com, google.com, facebook.com, hi5.com 2, Use HTTP-only 24 live.com, mail.163.com, mail.sina.com.cn, myspace.com 2, photobucket.com 2, sohu.com 2, taobao.com a, wikipedia.org a, wordpress.com 2, youtube.com 2, TABLE I SURVEY RESULTS 1 Sites that respond with authentication cookies to every HTTP request (potentially vulnerable to XMLHttpRequest attack). 2 Sites that respond with non-authentication cookies to every HTTP request. a Sites that respond with 200/302 to HTTP TRACE requests. as several of the sites in our survey that do not use HTTPonly cookies have been vulnerable to XSS attacks (e.g., twitter. com [18] and nytimes.com [14]). Page functionality. Making cookies HTTP-only can disrupt web page functionality by preventing scripts from reading the value of cookies. There is little, if any, reason why a well designed website would include scripts that access state from authentication cookies directly, but it may be difficult to remove all uses from legacy code. We did a experiment to test whether making cookies HTTPonly would break any of the survey sites. Since we are not able to modify the servers, we developed a Firefox extension to append the HTTP-only attribute at the client side. Even though to do a complete dynamic test on any one website is impossible, we distributed our extension to a small group of users for experiments and no users reported encountering any problems. We also explicitly tested the 26 sample sites that did not use HTTP-only. Only one site, the Chinese social networking site renren.com, experienced any problems. This site includes an online chatting system that rejects all user logins when our extension is running (other functions on the site continue to work normally). We examined their script [17] and found that is does retrieve values from authentication cookies using code like uin=this.getcookie("userid");. Although our extension was written primarily to conduct this experiment, the results indicate that it could be used to provided added protection for clients who visit websites that do not use HTTP-only cookies. Software stack compatibility. As a result of our survey results, we asked the Django development team why they had not added support for HTTP-only cookies. They have pointed out a thread that offered some explanation [3]. Python version (2.5) does not support HTTP-only cookies, although support was added to Python v2.6 (released October 2008). Since the Django framework is based on Python, it uses Python web authentication module directly instead of its own cookie handling mechanism. As Django does not want to lose backward compatibility (servers running 2.5 or earlier version of Python would encounter error when cookie.http-only = true is called in the server side script), they are unwilling to support HTTP-only. Standards compliance. Another reason frameworks and sites may not use HTTP-only cookies is HTTP-only is not part of the cookie specification [9]. Using HTTP-only cookies might break existing web clients or other web infrastructure. This problem could have been avoided if instead of introducing a new attribute, HTTP-only was implemented by just defining a new property (e.g., HTTPonly = True;). This would be consistent with the cookie specification. For browsers that do not support HTTP-only this would not introduce errors, but browsers that support this property could interpret the HTTPonly property as the HTTP-only attribute is interpreted. Django developers also explicitly pointed out that this is one minor reason that they hesitated to implement HTTP-only, and it may also explain why other frameworks do not turn it on by default. As far as we know HTTP-only has finally made it to the newest IETF cookie protocol draft [4] by Adam Barth at Mar of By now we could only hope that this draft get accepted at this moment, but still cannot be too optimistic about the deployment of the protocol. Difficulty to deploy client-server solutions. Finally, we observe that the challenge of deploying any mechanism that involves changes to both clients and servers is not unique to HTTP-only, but a longstanding issue in network evolution. Any mechanism that provides benefits only with both endpoints in a network adopt it faces major hurdles in deployment. A similar (but even less successful) deployment experience applies to the Set-Cookie2 header which first appeared in RFC2965 [10]. It was introduced ten years ago with the goal of adding more security features to the previous Set-Cookie header (e.g., each cookie specifies a port and browsers should return cookies only if they match the corresponding port). Browsers are also required to include information on how the cookie was set with the returned cookie. Unlike HTTP-only, Set-Cookie2 has not been adopted by any major browsers, and very few servers use it. Many network protocols such as TLS involve a handshake protocol where the endpoints negotiate the highest level protocol they have in common. This allows new versions to be deployed while maintaining backwards compatibility, but reduces the incentive for endpoints to update their implementations. Various efforts have been made to try to support more dynamic deployment of network protocols including STP [16]. This
5 requires mechanisms for running untrusted code on network hosts to automatically implement a new protocol, so dynamic protocol updating raises additional security concerns. V. CONCLUSION HTTP-only is a mechanism that was introduced eight years ago and appears to be very simple to implement and deploy, but has not yet been widely deployed. Some of this may be due to questions about the real value of HTTP-only in thwarting XSS exploits, but it is also clear that HTTP-only does thwart some exploits and it has very little cost. This example illustrates the difficulty in deploying even simple security mechanisms that require cooperation between servers and clients, as well as considering interactions with other web functionalities (especially XMLHttpRequest). The value of the mechanisms is only realized when both servers and clients implement it correctly, so it takes a long time to achieve enough critical mass to achieve widespread deployment. [17] Qian Xiang Company. A Sample Script of using document.cookie at Client-side Javascript [18] James Slater. Massive Twitter Cross-Site Scripting Vulnerability. massive-twitter-cross-site-scripting-vulnerability.html, [19] Wladimir Palant. XMLHttpRequest Allows Reading HTTP-only Cookies. bug.cgi?id=380418, ACKNOWLEDGEMENTS We would like to thank anonymous reviewers for their helpful comments. We thank Yan Huang for help developing the Firefox extension. This work was funded in part by the National Science Foundation (awards and ) and AFOSR (MURI). REFERENCES [1] Alexa. Top Sites Provided by Alexa the Web Information Company. [2] Apache Infrastructure Team. Cookie Stealing XSS Attacks on Apache Server. org , [3] Arvin. Discussion Thread of Django HTTP-only Support [4] Adam Barth. HTTP State Management Mechanism Draft [5] Bugmenot development team. An Automated Login Script to Bypass Compulsory Registration. [6] Jeremiah Grossman. Cross-Site Tracing (XST): The New Techinques and Emerging Threats to Bypass Current Web Security Measures using TRACE and XSS. Technical report, WhiteHat Security, [7] Jeremiah Grossman. Seventh Website Security Statistics Report. Technical report, WhiteHat Security, [8] Paul Johnston. Authentication and Session Management on Web. Technical report, Westpoint White Papers, [9] D. Kristol. Request For Comments 2109: HTTP State Management Mechanism [10] D. Kristol. Request For Comments 2965: HTTP State Management Mechanism [11] Art Manion. Vulnerability Note VU#867593: Web Servers Enable HTTP TRACE Method by Default [12] Marco Jetson. An iphone XSS exploit [13] Microsoft Corporation. Mitigating Cross-Site Scripting with HTTP-only Cookies [14] Mox. An Example of XSS Exploit in nytimes.com [15] OWASP, Open Web Application Security Project. Introduction of HTTP-only Cookies [16] Parveen Patel, Andrew Whitaker, David Wetherall, Jay Lepreau, and Tim Stack. Upgrading Transport Protocols using Untrusted Mobile Code. ACM SOSP, 2003.
Robust Defenses for Cross-Site Request Forgery
University of Cyprus Department of Computer Science Advanced Security Topics Robust Defenses for Cross-Site Request Forgery Name: Elena Prodromou Instructor: Dr. Elias Athanasopoulos Authors: Adam Barth,
More informationRKN 2015 Application Layer Short Summary
RKN 2015 Application Layer Short Summary HTTP standard version now: 1.1 (former 1.0 HTTP /2.0 in draft form, already used HTTP Requests Headers and body counterpart: answer Safe methods (requests): GET,
More informationProtect your apps and your customers against application layer attacks
Protect your apps and your customers against application layer attacks Development 1 IT Operations VULNERABILITY DETECTION Bots, hackers, and other bad actors will find and exploit vulnerabilities in web
More informationEasyCrypt passes an independent security audit
July 24, 2017 EasyCrypt passes an independent security audit EasyCrypt, a Swiss-based email encryption and privacy service, announced that it has passed an independent security audit. The audit was sponsored
More informationCSE361 Web Security. Attacks against the client-side of web applications. Nick Nikiforakis
CSE361 Web Security Attacks against the client-side of web applications Nick Nikiforakis nick@cs.stonybrook.edu Despite the same origin policy Many things can go wrong at the client-side of a web application
More informationWeb basics: HTTP cookies
Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh November 20, 2017 1 / 32 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the
More informationReal-world security analyses of OAuth 2.0 and OpenID Connect
Real-world security analyses of OAuth 2.0 and OpenID Connect Wanpeng Li and Chris J Mitchell 1 Agenda Single sign-on and identity management OAuth 2.0 Two case studies Security analyses OpenID Connect
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V3.0, MAY 2017 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationEvaluating the Security Risks of Static vs. Dynamic Websites
Evaluating the Security Risks of Static vs. Dynamic Websites Ballard Blair Comp 116: Introduction to Computer Security Professor Ming Chow December 13, 2017 Abstract This research paper aims to outline
More informationTesting login process security of websites. Benjamin Krumnow
Testing login process security of websites Benjamin Krumnow Benjamin Krumnow 2 Initial Project: Shepherd Marc Sleegers, B.Sc., master student at the Open University Bachelor Thesis, March 2017 [1] Counting
More informationWEB SECURITY: XSS & CSRF
WEB SECURITY: XSS & CSRF CMSC 414 FEB 22 2018 Cross-Site Request Forgery (CSRF) URLs with side-effects http://bank.com/transfer.cgi?amt=9999&to=attacker GET requests should have no side-effects, but often
More informationWeb basics: HTTP cookies
Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh February 11, 2016 1 / 27 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the
More informationHow is state managed in HTTP sessions. Web basics: HTTP cookies. Hidden fields (2) The principle. Disadvantage of this approach
Web basics: HTTP cookies Myrto Arapinis School of Informatics University of Edinburgh March 30, 2015 How is state managed in HTTP sessions HTTP is stateless: when a client sends a request, the server sends
More informationSOLUTION BRIEF. Enabling and Securing Digital Business in API Economy. Protect APIs Serving Business Critical Applications
Enabling and Securing Digital Business in Economy Protect s Serving Business Critical Applications 40 percent of the world s web applications will use an interface Most enterprises today rely on customers
More informationTIBCO Cloud Integration Security Overview
TIBCO Cloud Integration Security Overview TIBCO Cloud Integration is secure, best-in-class Integration Platform as a Service (ipaas) software offered in a multi-tenant SaaS environment with centralized
More informationRobust Defenses for Cross-Site Request Forgery Review
Robust Defenses for Cross-Site Request Forgery Review Network Security Instructor:Dr. Shishir Nagaraja Submitted By: Jyoti Leeka October 16, 2011 1 Introduction to the topic and the reason for the topic
More informationPrevention Of Cross-Site Scripting Attacks (XSS) On Web Applications In The Client Side
www.ijcsi.org 650 Prevention Of Cross-Site Scripting Attacks (XSS) On Web Applications In The Client Side S.SHALINI 1, S.USHA 2 1 Department of Computer and Communication, Sri Sairam Engineering College,
More informationUsing the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway
Using the Cisco ACE Application Control Engine Application Switches with the Cisco ACE XML Gateway Applying Application Delivery Technology to Web Services Overview The Cisco ACE XML Gateway is the newest
More informationRobust Defenses for Cross-Site Request Forgery
Robust Defenses for Cross-Site Request Forgery Tsampanaki Nikoleta Lilitsis Prodromos Gigis Petros Paper Authors: Adam Barth, Collin Jackson, John C. Mitchell Outline What is CSRF attack? What is a login
More informationEthical Hacking and Countermeasures: Web Applications, Second Edition. Chapter 3 Web Application Vulnerabilities
Ethical Hacking and Countermeasures: Web Chapter 3 Web Application Vulnerabilities Objectives After completing this chapter, you should be able to: Understand the architecture of Web applications Understand
More informationThe World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to
1 The World Wide Web is widely used by businesses, government agencies, and many individuals. But the Internet and the Web are extremely vulnerable to compromises of various sorts, with a range of threats
More informationWHY CSRF WORKS. Implicit authentication by Web browsers
WHY CSRF WORKS To explain the root causes of, and solutions to CSRF attacks, I need to share with you the two broad types of authentication mechanisms used by Web applications: 1. Implicit authentication
More informationMODERN WEB APPLICATION DEFENSES
MODERN WEB APPLICATION DEFENSES AGAINST DANGEROUS NETWORK ATTACKS Philippe De Ryck SecAppDev 2017 https://www.websec.be SETUP OF THE HANDS-ON SESSION I have prepared a minimal amount of slides Explain
More informationNetwork-based Origin Confusion Attacks against HTTPS Virtual Hosting
Network-based Origin Confusion Attacks against HTTPS Virtual Hosting Antoine Delignat-Lavaud, Karthikeyan Bhargavan Prosecco, Inria Paris-Rocquencourt 1 The Web Security Protocol Stack JavaScript runtime
More informationCIS 4360 Secure Computer Systems XSS
CIS 4360 Secure Computer Systems XSS Professor Qiang Zeng Spring 2017 Some slides are adapted from the web pages by Kallin and Valbuena Previous Class Two important criteria to evaluate an Intrusion Detection
More information2/16/18. CYSE 411/AIT 681 Secure Software Engineering. Secure Coding. The Web. Topic #11. Web Security. Instructor: Dr. Kun Sun
CYSE 411/AIT 681 Secure Software Engineering Topic #11. Web Security Instructor: Dr. Kun Sun Secure Coding String management Pointer Subterfuge Dynamic memory management Integer security Formatted output
More informationSecurity and Privacy. SWE 432, Fall 2016 Design and Implementation of Software for the Web
Security and Privacy SWE 432, Fall 2016 Design and Implementation of Software for the Web Today Security What is it? Most important types of attacks Privacy For further reading: https://www.owasp.org/index.php/
More informationApplication Security Introduction. Tara Gu IBM Product Security Incident Response Team
Application Security Introduction Tara Gu IBM Product Security Incident Response Team About Me - Tara Gu - tara.weiqing@gmail.com - Duke B.S.E Biomedical Engineering - Duke M.Eng Computer Engineering -
More informationWeb Application Security
Web Application Security Rajendra Kachhwaha rajendra1983@gmail.com October 16, 2015 Lecture 16: 1/ 14 Outline Browser Security Principles: 1 Cross Site Scripting (XSS) 2 Types of XSS 3 Lecture 16: 2/ 14
More informationComputer Security 3e. Dieter Gollmann. Chapter 18: 1
Computer Security 3e Dieter Gollmann www.wiley.com/college/gollmann Chapter 18: 1 Chapter 18: Web Security Chapter 18: 2 Web 1.0 browser HTTP request HTML + CSS data web server backend systems Chapter
More informationThe PKI Lie. The OWASP Foundation Attacking Certificate Based Authentication. OWASP & WASC AppSec 2007 Conference
The PKI Lie Attacking Certificate Based Authentication Ofer Maor CTO, Hacktics OWASP & WASC AppSec 2007 Conference San Jose Nov 2007 Copyright 2007 - The OWASP Foundation Permission is granted to copy,
More informationSichere Software vom Java-Entwickler
Sichere Software vom Java-Entwickler Dominik Schadow Java Forum Stuttgart 05.07.2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN We can no longer
More informationThe 2011 IDN Homograph Attack Mitigation Survey
Edith Cowan University Research Online ECU Publications 2012 2012 The 2011 IDN Homograph Attack Survey Peter Hannay Edith Cowan University Gregory Baatard Edith Cowan University This article was originally
More informationWelcome to the OWASP TOP 10
Welcome to the OWASP TOP 10 Secure Development for Java Developers Dominik Schadow 03/20/2012 BASEL BERN LAUSANNE ZÜRICH DÜSSELDORF FRANKFURT A.M. FREIBURG I.BR. HAMBURG MÜNCHEN STUTTGART WIEN 1 AGENDA
More informationSecure Development Guide
Secure Development Guide Oracle Health Sciences InForm 6.1.1 Part number: E72493-01 Copyright 2016, Oracle and/or its affiliates. All rights reserved. This software and related documentation are provided
More informationMan in the Middle Attacks and Secured Communications
FEBRUARY 2018 Abstract This document will discuss the interplay between Man in The Middle (MiTM/ MITM) attacks and the security technologies that are deployed to prevent them. The discussion will follow
More informationBROWSER POLICY: DESCRIPTION OF SUPPORT 2 SUPPORTED BROWSERS 2 TIER 2 SUPPORTED BROWSERS 2 UNSUPPORTED BROWSERS 2
Browser Policy June 2016 Table of Contents BROWSER POLICY: DESCRIPTION OF SUPPORT 2 SUPPORTED BROWSERS 2 TIER 1 SUPPORTED BROWSERS 2 TIER 2 SUPPORTED BROWSERS 2 UNSUPPORTED BROWSERS 2 SCOPE OF APPLICABILITY
More informationDefeating All Man-in-the-Middle Attacks
Defeating All Man-in-the-Middle Attacks PrecisionAccess Vidder, Inc. Defeating All Man-in-the-Middle Attacks 1 Executive Summary The man-in-the-middle attack is a widely used and highly preferred type
More information86% of websites has at least 1 vulnerability and an average of 56 per website WhiteHat Security Statistics Report 2013
Vulnerabilities help make Web application attacks amongst the leading causes of data breaches +7 Million Exploitable Vulnerabilities challenge organizations today 86% of websites has at least 1 vulnerability
More informationDreamFactory Security Guide
DreamFactory Security Guide This white paper is designed to provide security information about DreamFactory. The sections below discuss the inherently secure characteristics of the platform and the explicit
More informationNoScript, CSP and ABE: When The Browser Is Not Your Enemy
NoScript, CSP and ABE: When The Browser Is Not Your Enemy Giorgio Maone CTO, NoScript lead developer InformAction OWASP-Italy Day IV Milan 6th, November 2009 Copyright 2008 - The OWASP Foundation Permission
More informationTHE STATE OF MEDIA SECURITY HOW MEDIA COMPANIES ARE SECURING THEIR ONLINE PROPERTIES
THE STATE OF MEDIA SECURITY HOW MEDIA COMPANIES ARE SECURING THEIR ONLINE PROPERTIES TABLE OF CONTENTS 3 Introduction 4 Survey Findings 4 Recent Breaches Span a Broad Spectrum 4 Site Downtime and Enterprise
More informationProvide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any
OWASP Top 10 Provide you with a quick introduction to web application security Increase you awareness and knowledge of security in general Show you that any tester can (and should) do security testing
More informationOWASP Thailand. Proxy Caches and Web Application Security. OWASP AppSec Asia October 21, Using the Recent Google Docs 0-Day as an Example
Proxy Caches and Web Application Security Using the Recent Google Docs 0-Day as an Example Tim Bass, CISSP Chapter Leader, Thailand +66832975101, tim@unix.com AppSec Asia October 21, 2008 Thailand Worldwide
More informationSecure Frame Communication in Browsers Review
Secure Frame Communication in Browsers Review Network Security Instructor:Dr. Shishir Nagaraja Submitted By: Jyoti Leeka October 16, 2011 1 Introduction to the topic and the reason for the topic being
More informationOverview of SSL/TLS. Luke Anderson. 12 th May University Of Sydney.
Overview of SSL/TLS Luke Anderson luke@lukeanderson.com.au 12 th May 2017 University Of Sydney Overview 1. Introduction 1.1 Raw HTTP 1.2 Introducing SSL/TLS 2. Certificates 3. Attacks Introduction Raw
More informationIdentifying and Preventing Conditions for Web Privacy Leakage
Identifying and Preventing Conditions for Web Privacy Leakage Craig E. Wills Computer Science Department Worcester Polytechnic Institute Worcester, MA 01609 1 Position Statement Beyond tracking and proposals
More informationLecture 9a: Sessions and Cookies
CS 655 / 441 Fall 2007 Lecture 9a: Sessions and Cookies 1 Review: Structure of a Web Application On every interchange between client and server, server must: Parse request. Look up session state and global
More informationTop 10 Application Security Vulnerabilities in Web.config Files Part One
Top 10 Application Security Vulnerabilities in Web.config Files Part One By Bryan Sullivan These days, the biggest threat to an organization s network security comes from its public Web site and the Web-based
More informationAuthentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1
Authentication and Password CS166 Introduction to Computer Security 2/11/18 CS166 1 CIA Triad Confidentiality Prevent disclosure of information to unauthorized parties Integrity Detect data tampering Availability
More informationINTERNET ENGINEERING. HTTP Protocol. Sadegh Aliakbary
INTERNET ENGINEERING HTTP Protocol Sadegh Aliakbary Agenda HTTP Protocol HTTP Methods HTTP Request and Response State in HTTP Internet Engineering 2 HTTP HTTP Hyper-Text Transfer Protocol (HTTP) The fundamental
More informationLecture Overview. IN5290 Ethical Hacking
Lecture Overview IN5290 Ethical Hacking Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks Universitetet i Oslo Laszlo Erdödi How to use Burp
More informationLecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks
IN5290 Ethical Hacking Lecture 6: Web hacking 2, Cross Site Scripting (XSS), Cross Site Request Forgery (CSRF), Session related attacks Universitetet i Oslo Laszlo Erdödi Lecture Overview How to use Burp
More informationWhen HTTPS Meets CDN
When HTTPS Meets CDN A Case of Authentication in Delegated Service Jinjin Liang 1, Jian Jiang 1, Haixin Duan 1, Kang Li 2, Tao Wan 3, Jianping Wu 1 1 Tsinghua University 2 University of Georgia 3 Huawei
More informationSurvey of Existing CI Systems
Survey of Existing CI Systems We conducted a survey of existing systems on the web, to identify underlying principles. The list of systems is based on the Alexa Top 500 Ranking. Alexa ranks webpages according
More informationCOMP9321 Web Application Engineering
COMP9321 Web Application Engineering Semester 2, 2017 Dr. Amin Beheshti Service Oriented Computing Group, CSE, UNSW Australia Week 9 http://webapps.cse.unsw.edu.au/webcms2/course/index.php?cid=2465 1 Assignment
More informationTabular Presentation of the Application Software Extended Package for Web Browsers
Tabular Presentation of the Application Software Extended Package for Web Browsers Version: 2.0 2015-06-16 National Information Assurance Partnership Revision History Version Date Comment v 2.0 2015-06-16
More informationSecurity by Any Other Name:
Security by Any Other Name: On the Effectiveness of Provider Based Email Security Ian Foster, Jon Larson, Max Masich, Alex C. Snoeren, Stefan Savage, and Kirill Levchenko University of California, San
More informationWeb Application with AJAX. Kateb, Faris; Ahmed, Mohammed; Alzahrani, Omar. University of Colorado, Colorado Springs
Web Application with AJAX Kateb, Faris; Ahmed, Mohammed; Alzahrani, Omar University of Colorado, Colorado Springs CS 526 Advanced Internet and Web Systems Abstract Asynchronous JavaScript and XML or Ajax
More informationINSE Lucky 13 attack - continued from previous lecture. Scribe Notes for Lecture 3 by Prof. Jeremy Clark (January 20th, 2014)
INSE 6150 Scribe Notes for Lecture 3 by Prof. Jeremy Clark (January 20th, 2014) Lucky 13 attack - continued from previous lecture The lucky 13 attack on SSL/TLS involves an active attacker who intercepts
More informationWeb Application Whitepaper
Page 1 of 16 Web Application Whitepaper Prepared by Simone Quatrini and Isa Shorehdeli Security Advisory EMEAR 6 th September, 2017 1.0 General Release Page 2 of 16 1. Introduction In this digital age,
More informationCOMP9321 Web Application Engineering
COMP9321 Web Application Engineering Web Application Security Dr. Basem Suleiman Service Oriented Computing Group, CSE, UNSW Australia Semester 1, 2016, Week 8 http://webapps.cse.unsw.edu.au/webcms2/course/index.php?cid=2442
More informationFortify Software Security Content 2017 Update 4 December 15, 2017
Software Security Research Release Announcement Micro Focus Security Fortify Software Security Content 2017 Update 4 December 15, 2017 About Micro Focus Security Fortify SSR The Software Security Research
More informationConfiguring Request Authentication and Authorization
CHAPTER 15 Configuring Request Authentication and Authorization Request authentication and authorization is a means to manage employee use of the Internet and restrict access to online content. This chapter
More informationInformation Security CS 526 Topic 11
Information Security CS 526 Topic 11 Web Security Part 1 1 Readings for This Lecture Wikipedia HTTP Cookie Same Origin Policy Cross Site Scripting Cross Site Request Forgery 2 Background Many sensitive
More informationOWASP Top 10 The Ten Most Critical Web Application Security Risks
OWASP Top 10 The Ten Most Critical Web Application Security Risks The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain
More informationCNIT 129S: Securing Web Applications. Ch 3: Web Application Technologies
CNIT 129S: Securing Web Applications Ch 3: Web Application Technologies HTTP Hypertext Transfer Protocol (HTTP) Connectionless protocol Client sends an HTTP request to a Web server Gets an HTTP response
More informationWeb 2.0 and AJAX Security. OWASP Montgomery. August 21 st, 2007
Web 2.0 and AJAX Security OWASP Montgomery August 21 st, 2007 Overview Introduction Definition of Web 2.0 Basics of AJAX Attack Vectors for AJAX Applications AJAX and Application Security Conclusions 1
More informationHacking Intranet Websites from the Outside
1 Hacking Intranet Websites from the Outside "JavaScript malware just got a lot more dangerous" Black Hat (Japan) 10.05.2006 Jeremiah Grossman (Founder and CTO) WhiteHat Security 2 WhiteHat Sentinel -
More informationWeb Security II. Slides from M. Hicks, University of Maryland
Web Security II Slides from M. Hicks, University of Maryland Recall: Putting State to HTTP Web application maintains ephemeral state Server processing often produces intermediate results; not long-lived
More informationWeb Security. Thierry Sans
Web Security Thierry Sans 1991 Sir Tim Berners-Lee Web Portals 2014 Customer Resources Managemen Accounting and Billing E-Health E-Learning Collaboration Content Management Social Networks Publishing Web
More informationCS Paul Krzyzanowski
Original Browser Static content on clients Servers were responsible for dynamic parts Computer Security 14. Web Security Security attacks were focused on servers Malformed URLs, buffer overflows, root
More informationComputer Security. 14. Web Security. Paul Krzyzanowski. Rutgers University. Spring 2018
Computer Security 14. Web Security Paul Krzyzanowski Rutgers University Spring 2018 April 15, 2018 CS 419 2018 Paul Krzyzanowski 1 Original Browser Static content on clients Servers were responsible for
More informationContent Security Policy
About Tim Content Security Policy New Tools for Fighting XSS Pentester > 10 years Web Applications Network Security Products Exploit Research Founded Blindspot Security in 2014 Pentesting Developer Training
More informationGrandstream Networks, Inc. UCM6100 Security Manual
Grandstream Networks, Inc. UCM6100 Security Manual Index Table of Contents OVERVIEW... 3 WEB UI ACCESS... 4 UCM6100 HTTP SERVER ACCESS... 4 PROTOCOL TYPE... 4 USER LOGIN... 4 LOGIN TIMEOUT... 5 TWO-LEVEL
More informationSecurity in a Mainframe Emulator. Chaining Security Vulnerabilities Until Disaster Strikes (twice) Author Tim Thurlings & Meiyer Goren
Security in a Mainframe Emulator Chaining Security Vulnerabilities Until Disaster Strikes (twice) Author Tim Thurlings & Meiyer Goren October 25, 2017 Table of Contents Introduction... 2 About this paper...
More informationOPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES
OPEN WEB APPLICATION SECURITY PROJECT OWASP TOP 10 VULNERABILITIES What is the OWASP Top 10? A list of the top ten web application vulnerabilities Determined by OWASP and the security community at large
More informationCombating Common Web App Authentication Threats
Security PS Combating Common Web App Authentication Threats Bruce K. Marshall, CISSP, NSA-IAM Senior Security Consultant bmarshall@securityps.com Key Topics Key Presentation Topics Understanding Web App
More informationCookies, sessions and authentication
Cookies, sessions and authentication TI1506: Web and Database Technology Claudia Hauff! Lecture 7 [Web], 2014/15 1 Course overview [Web] 1. http: the language of Web communication 2. Web (app) design &
More informationStorageGRID Webscale NAS Bridge Management API Guide
StorageGRID Webscale NAS Bridge 2.0.3 Management API Guide January 2018 215-12414_B0 doccomments@netapp.com Table of Contents 3 Contents Understanding the NAS Bridge management API... 4 RESTful web services
More informationExploiting and Defending: Common Web Application Vulnerabilities
Exploiting and Defending: Common Web Application Vulnerabilities Introduction: Steve Kosten Principal Security Consultant SANS Instructor Denver OWASP Chapter Lead Certifications CISSP, GWAPT, GSSP-Java,
More informationJOE WIPING OUT CSRF
JOE ROZNER @JROZNER WIPING OUT CSRF IT S 2017 WHAT IS CSRF? 4 WHEN AN ATTACKER FORCES A VICTIM TO EXECUTE UNWANTED OR UNINTENTIONAL HTTP REQUESTS WHERE DOES CSRF COME FROM? 6 SAFE VS. UNSAFE Safe GET HEAD
More informationApplication Security through a Hacker s Eyes James Walden Northern Kentucky University
Application Security through a Hacker s Eyes James Walden Northern Kentucky University waldenj@nku.edu Why Do Hackers Target Web Apps? Attack Surface A system s attack surface consists of all of the ways
More informationWeb Security. Course: EPL 682 Name: Savvas Savva
Web Security Course: EPL 682 Name: Savvas Savva [1] A. Barth and C. Jackson and J. Mitchell, Robust Defenses for Cross-Site Request Forgery, pub. in 15th ACM Conference, 2008. [2] L. Huang and A. Moshchuk
More informationAttacks Against Websites. Tom Chothia Computer Security, Lecture 11
Attacks Against Websites Tom Chothia Computer Security, Lecture 11 A typical web set up TLS Server HTTP GET cookie Client HTML HTTP file HTML PHP process Display PHP SQL Typical Web Setup HTTP website:
More informationExcerpts of Web Application Security focusing on Data Validation. adapted for F.I.S.T. 2004, Frankfurt
Excerpts of Web Application Security focusing on Data Validation adapted for F.I.S.T. 2004, Frankfurt by fs Purpose of this course: 1. Relate to WA s and get a basic understanding of them 2. Understand
More informationAndrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing. Security Testing. Taming the Wild West
Andrew Muller, Canberra Managing Director, Ionize, Canberra The challenges of Security Testing Advancing Expertise in Security Testing Taming the Wild West Canberra, Australia 1 Who is this guy? Andrew
More informationAdvanced Web Technology 10) XSS, CSRF and SQL Injection
Berner Fachhochschule, Technik und Informatik Advanced Web Technology 10) XSS, CSRF and SQL Injection Dr. E. Benoist Fall Semester 2010/2011 1 Table of Contents Cross Site Request Forgery - CSRF Presentation
More informationTransport Layer Security
Transport Layer Security TRANSPORT LAYER SECURITY PERFORMANCE TESTING OVERVIEW Transport Layer Security (TLS) and its predecessor Secure Sockets Layer (SSL), are the most popular cryptographic protocols
More informationWeb Security Computer Security Peter Reiher December 9, 2014
Web Security Computer Security Peter Reiher December 9, 2014 Page 1 Web Security Lots of Internet traffic is related to the web Much of it is financial in nature Also lots of private information flow around
More informationLooking Forward: Challenges in Mobile Security. John Mitchell Stanford University
Looking Forward: Challenges in Mobile Security John Mitchell Stanford University Outline Mobile platform security SessionJuggler Using phone as authentication token SelectiveAuth Protecting resources on
More informationLECT 8 WEB SECURITY BROWSER SECURITY. Repetition Lect 7. WEB Security
Repetition Lect 7 LECT 8 WEB SECURITY Access control Runtime protection Trusted computing Java as basic model for signed code Trusted Computing Group TPM ARM TrustZone Mobile Network security GSM security
More informationStorageGRID Webscale 11.0 Tenant Administrator Guide
StorageGRID Webscale 11.0 Tenant Administrator Guide January 2018 215-12403_B0 doccomments@netapp.com Table of Contents 3 Contents Administering a StorageGRID Webscale tenant account... 5 Understanding
More informationWeb Security, Part 2
Web Security, Part 2 CS 161 - Computer Security Profs. Vern Paxson & David Wagner TAs: John Bethencourt, Erika Chin, Matthew Finifter, Cynthia Sturton, Joel Weinberger http://inst.eecs.berkeley.edu/~cs161/
More informationCS 142 Winter Session Management. Dan Boneh
CS 142 Winter 2009 Session Management Dan Boneh Sessions A sequence of requests and responses from one browser to one (or more) sites Session can be long (Gmail - two weeks) or short without session mgmt:
More informationThe Top 6 WAF Essentials to Achieve Application Security Efficacy
The Top 6 WAF Essentials to Achieve Application Security Efficacy Introduction One of the biggest challenges IT and security leaders face today is reducing business risk while ensuring ease of use and
More informationCopyright
1 Security Test EXTRA Workshop : ANSWER THESE QUESTIONS 1. What do you consider to be the biggest security issues with mobile phones? 2. How seriously are consumers and companies taking these threats?
More informationWHITEPAPER. Vulnerability Analysis of Certificate Validation Systems
WHITEPAPER Vulnerability Analysis of Certificate Validation Systems The US Department of Defense (DoD) has deployed one of the largest Public Key Infrastructure (PKI) in the world. It serves the Public
More informationOffice 365 Buyers Guide: Best Practices for Securing Office 365
Office 365 Buyers Guide: Best Practices for Securing Office 365 Microsoft Office 365 has become the standard productivity platform for the majority of organizations, large and small, around the world.
More informationA Simple Course Management Website
A Simple Course Management Website A Senior Project Presented to The Faculty of the Computer Engineering Department California Polytechnic State University, San Luis Obispo In Partial Fulfillment Of the
More information